This routine is responsible for UTMP logging. As you can see, after zeroing out the ‘ut’ structure, it initializes its members. The corresponding header file (bftpdutmp.h) gives the definition of this structure…

After initializing the process ID field with the current process’ ID, it checks whether the type passed to it as an argument is non-zero. If so, it assigns the ‘type’ value to the corresponding member of the ‘bftpdutmp’ structure and then uses the strncpy(3) library routine to copy the username and the remote hostname to ‘bu_name’ and ‘bu_host’ respectively. If the remote hostname is 256 characters or longer, strncpy(3) will not have sufficient space to add the NUL terminator. As a result, the ‘bu_host’ array will appear to end at the NUL terminator of the ‘bu_name’ buffer, and processing this buffer results in invalid operations. To fix this simple vulnerability, the following patch was applied:
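The strncpy(3) behaviour described above, as an added example that is neither bftpd's code nor the project's patch: a hypothetical `demo_utmp` record with a 256-byte host field is filled once with the full field size as the bound and once with a bound of size-1 plus explicit termination. The structure name, the 32-byte name field, the helper names and the sample hostnames are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HOST_SIZE 256   /* host field size given in the text */

/* Hypothetical record modelled on the two fields named in the text. */
struct demo_utmp {
    char name[32];      /* assumed size, for illustration only */
    char host[HOST_SIZE];
};

/* Pattern described above: bound == field size, no NUL if strlen(src) >= size. */
static void copy_full_bound(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size);
}

/* Hardened form: copy at most size-1 bytes and always terminate. */
static void copy_terminated(char *dst, size_t size, const char *src)
{
    strncpy(dst, src, size - 1);
    dst[size - 1] = '\0';
}

/* Build a constructed hostname of host_len 'A' bytes, copy it into a
 * zeroed record, and return 1 if the host field contains a NUL byte. */
static int host_is_terminated(size_t host_len, int hardened)
{
    char src[HOST_SIZE * 2];
    struct demo_utmp ut;
    if (host_len >= sizeof(src))
        return -1;                      /* too large for this demo */
    memset(src, 'A', host_len);
    src[host_len] = '\0';
    memset(&ut, 0, sizeof(ut));         /* zeroed first, as in the routine */
    if (hardened)
        copy_terminated(ut.host, sizeof(ut.host), src);
    else
        copy_full_bound(ut.host, sizeof(ut.host), src);
    return memchr(ut.host, '\0', sizeof(ut.host)) != NULL;
}

int main(void)
{
    printf("255 bytes, full bound: %d\n", host_is_terminated(255, 0));
    printf("256 bytes, full bound: %d\n", host_is_terminated(256, 0));
    printf("256 bytes, hardened:   %d\n", host_is_terminated(256, 1));
    return 0;
}
```

The check uses memchr(3) bounded by the field size, so it never reads past the field even when the terminator is missing.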